On Sun, Jan 01, 2017 at 11:12:19AM -0500, Wietse Venema wrote:
> Florian Piekert:
> > I am receiving compile errors for the recent snapshots. The 1224
> > compiles and works nicely, 1227 and 1231 do not compile on my
> > opensuse 42.2 (nothing changed from 1224).
>
> Postfix builds with OpenSSL from 0.9.7c to 1.1.0.
> We don't support GnuTLS, LibreSSL, etc.
That's the idea anyway, but I made a mistake, sorry about that. Patch
below:
diff --git a/src/tls/tls.h b/src/tls/tls.h
index dcb61f6..79b8d73 100644
--- a/src/tls/tls.h
+++ b/src/tls/tls.h
@@ -104,6 +104,9 @@ extern const char *str_tls_level(int);
#define ASN1_STRING_get0_data ASN1_STRING_data
#define X509_getm_notBefore X509_get_notBefore
#define X509_getm_notAfter X509_get_notAfter
+#define TLS_method SSLv23_method
+#define TLS_client_method SSLv23_client_method
+#define TLS_server_method SSLv23_server_method
#endif
/* SSL_CIPHER_get_name() got constified in 0.9.7g */
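Review bot: the three new `#define`s for `TLS_method`, `TLS_client_method` and `TLS_server_method` are placed right before the `#endif` that also closes the `ASN1_STRING_get0_data` and `X509_getm_notBefore` fallbacks, so they presumably live under the same pre-1.1.0 version test; that condition is outside this hunk, so confirm it is the `OPENSSL_VERSION_NUMBER < 0x10100000L` block, since on 1.1.0 OpenSSL already provides the real `TLS_client_method()` and `TLS_server_method()` and redefining them there is at best confusing. Also, `TLS_method` has no caller anywhere in this patch (only the client and server variants are used in tls_client.c, tls_dane.c and tls_server.c); keeping it for symmetry is fine, but a one-line comment above the three defines saying they map the OpenSSL 1.1.0 names onto the `SSLv23_*` equivalents of older releases would help the next reader.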
diff --git a/src/tls/tls_client.c b/src/tls/tls_client.c
index 117a607..bbe18f9 100644
--- a/src/tls/tls_client.c
+++ b/src/tls/tls_client.c
@@ -350,17 +350,9 @@ TLS_APPL_STATE *tls_client_init(const
TLS_CLIENT_INIT_PROPS *props)
* we want to be as compatible as possible, so we will start off with a
* SSLv2 greeting allowing the best we can offer: TLSv1. We can restrict
* this with the options setting later, anyhow.
- *
- * OpenSSL 1.1.0-dev deprecates SSLv23_client_method() in favour of
- * TLS_client_method(), with the change in question signalled via a new
- * TLS_ANY_VERSION macro.
*/
ERR_clear_error();
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && defined(TLS_ANY_VERSION)
client_ctx = SSL_CTX_new(TLS_client_method());
-#else
- client_ctx = SSL_CTX_new(SSLv23_client_method());
-#endif
if (client_ctx == 0) {
msg_warn("cannot allocate client SSL_CTX: disabling TLS support");
tls_print_errors();
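Review bot: the comment kept above `ERR_clear_error()` still says the client starts with "a SSLv2 greeting allowing the best we can offer: TLSv1", which no longer describes a context created unconditionally with `TLS_client_method()`, and the deleted paragraph was the only text that tied the comment to a method name; suggest rewording it to say the context negotiates the highest protocol version both peers support and that the range is narrowed later by the protocol/options settings. Dropping the `#if OPENSSL_VERSION_NUMBER >= 0x10100000L && defined(TLS_ANY_VERSION)` conditional is correct only because tls.h now supplies `TLS_client_method` on older OpenSSL, so this hunk must not be applied without the tls.h one.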
diff --git a/src/tls/tls_dane.c b/src/tls/tls_dane.c
index 10e14b7..53fac90 100644
--- a/src/tls/tls_dane.c
+++ b/src/tls/tls_dane.c
@@ -2138,7 +2138,7 @@ static SSL_CTX *ctx_init(const char *CAfile)
msg_fatal("Cannot allocate SSL application data index");
ERR_clear_error();
- if ((client_ctx = SSL_CTX_new(SSLv23_client_method())) == 0)
+ if ((client_ctx = SSL_CTX_new(TLS_client_method())) == 0)
msg_fatal("cannot allocate client SSL_CTX");
SSL_CTX_set_verify_depth(client_ctx, 5);
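Review bot: `SSL_CTX_new(TLS_client_method())` here compiles on OpenSSL before 1.1.0 only if the fallback macro from tls.h is in scope in tls_dane.c; the include is not visible in this hunk, so double-check it, otherwise this one-line rename leaves the older-OpenSSL build broken in exactly the file that the rest of the patch fixes.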
diff --git a/src/tls/tls_server.c b/src/tls/tls_server.c
index d68a119..84426a6 100644
--- a/src/tls/tls_server.c
+++ b/src/tls/tls_server.c
@@ -441,17 +441,9 @@ TLS_APPL_STATE *tls_server_init(const
TLS_SERVER_INIT_PROPS *props)
* SSLv2), so we need to have the SSLv23 server here. If we want to limit
* the protocol level, we can add an option to not use SSLv2/v3/TLSv1
* later.
- *
- * OpenSSL 1.1.0-dev deprecates SSLv23_server_method() in favour of
- * TLS_client_method(), with the change in question signalled via a new
- * TLS_ANY_VERSION macro.
*/
ERR_clear_error();
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && defined(TLS_ANY_VERSION)
server_ctx = SSL_CTX_new(TLS_server_method());
-#else
- server_ctx = SSL_CTX_new(SSLv23_server_method());
-#endif
if (server_ctx == 0) {
msg_warn("cannot allocate server SSL_CTX: disabling TLS support");
tls_print_errors();
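Review bot: the surviving comment above `ERR_clear_error()` still says "we need to have the SSLv23 server here" and talks about an option "to not use SSLv2/v3/TLSv1", which no longer matches `SSL_CTX_new(TLS_server_method())`; suggest rewording it the same way as the client-side comment so the two stay consistent. The removed paragraph also read "deprecates SSLv23_server_method() in favour of TLS_client_method()", a server-vs-client copy-paste slip, so deleting it outright rather than patching the name is the right call.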
--
Viktor.